
PUP.Optional.Legacy and PUP.Winlogon.Heuristic False Positives in v7.2.3?



I've been running AdwCleaner pretty regularly in the past (about once a month), but this is the first time AdwCleaner has reported having such problems on my computer. I don't have access to a previous version to try and confirm a FP that way, but looking at the registry keys themselves makes it seem that way, since it's complaining about my Cisco VPN software, Windows SysAppTray, and the HP Security Manager linked to my Winlogon. Malwarebytes reports no other problems on my computer, so are these just false positives that I can safely ignore, or are they bigger threats that I should be concerned with?


Link to post

  • Staff

***This is an automated reply***


Thanks for posting in the AdwCleaner Help forum.

Someone will reply shortly, but in the meantime here are a few resources which may help resolve your issue:

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post

  • Staff


FPs related to your VPN are fixed with the current database update (no action required on your side, just a scan which will automatically fetch the latest database).

For the HP part, can you do me an export of the registry key please? (`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`)



Link to post

As of the latest update, the two previous PUP.Optional.Legacy detections have vanished, so the only remaining one is the PUP.Winlogon.Heuristic. I'm not entirely sure what you mean by an export of the key, but the object it was complaining about (Userinit) is defined as follows: `"C:\Windows\system32\userinit.exe,C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe,"`


Personally I think it's just triggering on the fact that another program is in the registry key aside from userinit.exe.

Link to post


What he was asking for with regard to an export is an export of the key from the registry, so that he may take a look at exactly how it is formatted and written in the registry to determine why it is being detected, and so that he might import it into one of his own test systems for testing to hopefully correct the FP.

To create a registry export of the key please do the following:

  • Click on Start and select Run or press the Windows Key+R on your keyboard
  • In the Run box type regedit and press Enter or click on OK and click Yes if prompted by User Account Control
  • Navigate to the following location by clicking the little arrows next to the appropriate folders to expand them: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Once there, right-click on the Winlogon folder and select Export and then save the file to your desktop or another location where you will be able to find it easily and give it a name such as winlogon
  • Locate the file and right-click on it and hover your mouse over Send to and select Compressed (zipped) folder
  • Attach the resulting ZIP folder you just created to your next reply

Link to post
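
The exported `.reg` file can also be reviewed offline before it is attached. The following is an added example, not part of the original posts and not AdwCleaner's detection logic: it parses a regedit export and lists what `Userinit` launches besides the stock `userinit.exe`. The function names are hypothetical, the sample export is constructed from the value quoted earlier in the thread, and Windows is assumed to be installed under `C:\Windows`.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: Windows lives in C:\Windows, so this is the stock Userinit entry.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

def load_reg(path):
    """Read a regedit export; version 5.00 files are UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")

def string_values(reg_text, key):
    """Return {name: value} for the REG_SZ values directly under `key`."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Section header: only the exact key counts, not its subkeys.
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if in_key and m:
            # .reg files escape backslash and double quote with a backslash.
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values[name] = value
    return values

def extra_userinit_entries(reg_text):
    """List Userinit entries other than the stock userinit.exe."""
    userinit = string_values(reg_text, WINLOGON).get("Userinit", "")
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]

# Constructed sample export, using the Userinit value quoted in the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Program Files (x86)\\Hewlett-Packard\\HP ProtectTools Security Manager\\Bin\\DPAgent.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
'''

if __name__ == "__main__":
    for entry in extra_userinit_entries(SAMPLE):
        print("Review:", entry)
```

For a real export, pass `load_reg("winlogon.reg")` to `extra_userinit_entries`; each listed path is a program started at logon that should be matched against software known to be installed.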

@fr33tux, @Elisabeth could one of you please jump in here to assist with this detection issue/FP?

I just shot him another notification along with Elisabeth who is another member of the team.  One of them should respond soon, but please post again if no one from the staff has replied by Monday evening (they may be out for the weekend so they may not be available until Monday morning).

Link to post